Severity
NVD: 7.5 HIGH
OSV: 7.3
EPSS
0.3% (top 43.93%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: May 3, 2022
Latest update: Jun 15, 2023

Description

The OPENSSL_LH_flush() function, which empties a hash table, contains a bug that breaks reuse of the memory occupied by the removed hash table entries. This function is used when decoding certificates or keys. If a long-lived process periodically decodes certificates or keys, its memory usage will expand without bound and the process might be terminated by the operating system, causing a denial of service. Traversing the empty hash table entries will also take increasingly more time. Typically s
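The growth pattern described above, as an added illustration that is not OpenSSL's code and not part of this advisory: a small chained hash table modelled on lhash, driven through repeated insert/flush rounds that stand in for a long-lived process decoding a certificate or key again and again. The root cause is modelled here as the flush freeing the entries while leaving the table's item counter stale, which is my reading of what the 3.0.3 fix addresses and not something this page states; the names (node_t, lhash_t, simulate_decode_loop), the 16-bucket starting size and the load factor are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added model, not OpenSSL code: a chained hash table in the style of lhash,
 * showing how a flush that frees the entries but leaves the item count stale
 * makes the bucket array grow without bound across insert/flush cycles. */
typedef struct node_st { char *key; struct node_st *next; } node_t;

typedef struct {
    node_t **b;             /* bucket array */
    unsigned int num_nodes; /* number of buckets */
    unsigned int num_items; /* entries the table believes it holds */
    unsigned int up_load;   /* expand when num_items > up_load * num_nodes */
} lhash_t;

static unsigned int hash_str(const char *s)
{
    unsigned int h = 5381; /* djb2; any reasonable spread will do here */
    for (; *s != '\0'; s++)
        h = h * 33 + (unsigned char)*s;
    return h;
}

/* Double the bucket array and rehash whatever entries are live. */
static void lh_expand(lhash_t *lh)
{
    unsigned int new_n = lh->num_nodes * 2, i;
    node_t **nb = calloc(new_n, sizeof(*nb));
    for (i = 0; i < lh->num_nodes; i++) {
        node_t *n = lh->b[i], *nn;
        for (; n != NULL; n = nn) {
            unsigned int idx = hash_str(n->key) % new_n;
            nn = n->next;
            n->next = nb[idx];
            nb[idx] = n;
        }
    }
    free(lh->b);
    lh->b = nb;
    lh->num_nodes = new_n;
}

static void lh_insert(lhash_t *lh, const char *key)
{
    unsigned int idx = hash_str(key) % lh->num_nodes;
    node_t *n = malloc(sizeof(*n));
    n->key = malloc(strlen(key) + 1);
    memcpy(n->key, key, strlen(key) + 1);
    n->next = lh->b[idx];
    lh->b[idx] = n;
    if (++lh->num_items > lh->up_load * lh->num_nodes)
        lh_expand(lh);
}

/* Free every entry and clear the buckets. With reset_counter == 0 the count
 * is left stale (the pre-3.0.3 behaviour as modelled here), so the expand
 * check keeps seeing a "full" table that is in fact empty. */
static void lh_flush(lhash_t *lh, int reset_counter)
{
    unsigned int i;
    for (i = 0; i < lh->num_nodes; i++) {
        node_t *n = lh->b[i], *nn;
        for (; n != NULL; n = nn) {
            nn = n->next;
            free(n->key);
            free(n);
        }
        lh->b[i] = NULL;
    }
    if (reset_counter)
        lh->num_items = 0;
}

/* Stand-in for a long-lived process decoding a certificate or key `rounds`
 * times: each decode adds `items_per_round` entries, then the table is
 * flushed. Returns the bucket count still allocated (and walked by every
 * later flush) although no entries remain. */
unsigned int simulate_decode_loop(int rounds, int items_per_round,
                                  int reset_counter)
{
    lhash_t lh = { NULL, 16, 0, 1 };
    unsigned int nodes;
    char key[32];
    int r, i;
    lh.b = calloc(lh.num_nodes, sizeof(*lh.b));
    for (r = 0; r < rounds; r++) {
        for (i = 0; i < items_per_round; i++) {
            snprintf(key, sizeof(key), "entry-%d", i);
            lh_insert(&lh, key);
        }
        lh_flush(&lh, reset_counter); /* last round leaves no entries */
    }
    nodes = lh.num_nodes;
    free(lh.b);
    return nodes;
}

int main(void)
{
    printf("stale counter: %u buckets\n", simulate_decode_loop(100, 8, 0));
    printf("counter reset: %u buckets\n", simulate_decode_loop(100, 8, 1));
    return 0;
}
```

With the counter reset on flush, 100 rounds of 8 entries leave the table at its original 16 buckets. With the counter left stale, the expand check fires each time the cumulative count passes the bucket count, so the same workload leaves an empty table holding 1024 buckets, and every later flush walks all of them: the growing memory and growing flush time the description attributes to repeated decodes in a long-lived process.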

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (5 packages)

Source      Package           Affected versions
NVD         openssl/openssl   >= 3.0.0, < 3.0.3
Alpine      openssl/openssl   < 3.0.3-r0 (+6)
Ubuntu      openssl/openssl   < 1.1.1-1ubuntu2.1~18.04.17 (+3)
CVEListV5   openssl/openssl   Fixed in OpenSSL 3.0.3 (Affected 3.0.0, 3.0.1, 3.0.2)

🔴Vulnerability Details (6)

OSV: openssl vulnerabilities (2022-05-26)
GHSA: Resource leakage when decoding certificates and keys (2022-05-04)
OSV: openssl, openssl1.0 vulnerabilities (2022-05-04)
OSV: Resource leakage when decoding certificates and keys (2022-05-04)
OSV: CVE-2022-1473: The OPENSSL_LH_flush() function, which empties a hash table, contains a bug that breaks reuse of the memory occupied by the removed hash table entries ... (2022-05-03)

📋Vendor Advisories (8)

CISA ICS: Siemens SINAMICS Medium Voltage Products (2023-06-15)
CISA ICS: Siemens SIMATIC S7-1500 TM MFP Linux Kernel (2023-06-15)
CISA ICS: Siemens SCALANCE, RUGGEDCOM Third-Party (2023-03-16)
CISA ICS: Siemens Brownfield Connectivity Client (2023-02-16)
Ubuntu: OpenSSL vulnerabilities (2022-05-26)

CVE-2022-1473 — Incomplete Cleanup in Openssl | cvebase